Legitimate ad network SDKs, such as Google's own AdMob SDK, offer app developers the libraries to distribute in-app ads and monetise free apps. The malicious ad network masquerades as a genuine one, largely but not exclusively targeting Russian-speaking users. The SDK has been installed on a range of apps including games, recipe, sex and dictionary apps, some of which are also aimed at English-speaking users.

"Because it's challenging to get malicious bad code into Google Play, the authors of Badnews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," Lookout's principal security researcher Marc Rogers noted in an alert on Friday.

In violation of Google's developer terms, the malicious ad network causes the app to impersonates news messages, including fake alerts encouraging the user to install a "critical update" to Russian social network Vkontake, Skype, and other apps. The fake update attempts to lead the user to a website to install a premium rate SMS app and also sends the user's phone number and device ID to a command server.

The attackers took their cue from shady affiliate-based marketing websites, according to Rogers. Using an ad network to distribute malware is a "significant development" in mobile malware since it overcomes the hurdles placed at the gateway to app marketplaces, Lookout said.

Sidestepping Google protection

Google launched its server-side scanner Bouncer to fend off malicious submissions in early 2012, and late last year added a client-side malware scanner to Android 4.2 Jelly Bean that could be used to vet apps installed outside the official store.

The discovery of the malicious SDK follows reports last week from Russian security firm Dr Web that malware distributors were using Android in-app advertising to spread fake antivirus, bringing an old pest from the desktop to mobile.